Can New Technology Make Credit Cards Safer?

The monthly statement for your credit card arrives and there it is: a $5,000 charge for an extravagant shopping spree. Except you didn’t go on any shopping spree. That’s because your card was hacked — and you’re now seeing the glaring results.

Credit card theft and fraud is certainly nothing new, but a number of high-profile hacking incidents in the past year, perpetrated against retailers such as
Target, Neiman Marcus and Michaels, have gotten lots of people talking about the inherent security weaknesses of these cards. The FBI has even warned retailers that more attacks designed to steal credit and debit card data at the point of sale are likely to come.

Despite credit card hacking becoming a multi-million dollar business for thieves, new technologies are emerging to make payment devices more secure.

(Photo Source: iStock)

Alternatives for an outmoded system

While the technology for detecting credit card fraud is getting increasingly sophisticated, experts say the swipe technology that’s still so broadly used today for credit card transactions is hopelessly outdated.

“It has been out of date for at least 20 years,” says Avivah Litan, vice president and analyst at research firm Gartner. “But it’s very prevalent, and it’s hard to rip out existing payment systems. There have been a lot of controls put around [swipe systems]. But they haven’t worked very well in terms of theft of data. They have worked well for detecting fraud.”

However, new alternatives to magnetic-strip cards are emerging that promise more security. One is tokenization, which involves replacing sensitive data with a unique identifier that can’t be mathematically reversed. With this technology, sensitive payment data can be converted into a "token," and either stored or transmitted, says Andrew Szente, vice president for government affairs at the Retail Industry Leaders Association (RILA), a trade organization that represents retailers, product manufacturers and service suppliers. In effect, the tokens take the place of sensitive card data.

“The token is valueless if intercepted, but can be converted back into usable information by the proper parties,” such as issuing banks, Szente says. “Ideally tokenization would occur at the terminal and carry through the entire transaction,” a process known as end-to-end tokenization.

Then there’s point-to-point encryption, which ensures that sensitive data is protected from the first card swipe, while it’s in transit, all the way to the payment processor. But this method requires an upgrade of merchant card readers, so it’s relatively time consuming and expensive, Litan says. The system also needs to be certified by the Payment Card Industry (PCI) to ensure it’s truly secure, she adds.

Another technology that’s gaining traction is “Chip and PIN,” where cards are embedded with a microchip and authenticated automatically using a PIN. When a customer pays, the card is placed into a point-of-sale terminal or modified swipe-card reader, which accesses the chip on the card. When the card has been verified, the customer enters a PIN. If the numbers match, the chip tells the device to continue with the transaction.

“Credit card hacking is increasing in frequency in the United States, partially because we are one of the few remaining countries to adopt more [secure] chip and PIN technology,” Szente says. “Many European countries have used this more secure technology for decades. In the U.S., we are already starting to see some card issuers issue their cards with these chips and many large merchants already have the chip readers in place today.”

New card technologies do not require huge technology upgrades, Litan says. “All these data protection technologies are here today, it’s just a matter of people spending the money and upgrading,” she says. She estimates that about 30 percent of large retailers are already planning or undertaking upgrades of their point-of-sale card reader technology for chip-card acceptance and point-to-point encryption.

“I suspect you will see a large number of chip cards and chip terminals in the [U.S.] market by October 2015, the date that
Visa and MasterCard have set up to begin the migration on broad scale,” Szente says.

Even using low-tech methods of cardholder authentication, such as a PIN, could make a difference for cardholders. The Federal Reserve says that simply adding a PIN to debit cards makes them 700 percent more secure than simply signing for a transaction, Szente says.

However, card-issuing banks have resisted requiring PINs on transactions, Szente says. “Most retailers could accommodate a PIN requirement right away,” he says. “Issuing banks have discouraged PIN [use] historically because they are able to charge merchants more on transactions that occur without a PIN.”

In January, RILA called for collaboration across the debit and credit card markets to require PINs on all retail transactions, the retirement of antiquated magnetic stripe systems, and a migration to chip and PIN technology.

Consumers can expect to see some of these technologies arriving in the mail with their new cards soon. Credit and debit cards generally have a three-year lifecycle, and as older cards require replacement “you will start to see a greater share of chip cards being issued in the market,” Szente adds.

Bob Violino is an award-winning freelance writer and editor who covers information technology, consumer electronics and business topics. He has held senior editorial positions at publications including InformationWeek and InternetWeek.